403 error caused by CSRF

Bug #607389 reported by Seth Hill
This bug affects 2 people
Affects: django_xmlrpc
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Django's CSRF protection is turned on by default now, and is quite effective at blocking cross site requests, including RPC requests like this.

Symptoms:
Valid XMLRPC requests to the xmlrpc endpoint are greeted with a 403 Forbidden response. This is generated by the CSRF middleware because a CSRF token isn't being included in the POST.

Resolution:
Turn off CSRF for the handle_xmlrpc method.

In django_xmlrpc/views.py, add the csrf_exempt decorator to the handle_xmlrpc method:
from django.views.decorators.csrf import csrf_exempt
...
@csrf_exempt  # skip the CSRF middleware's token check for this view only
def handle_xmlrpc(request):
    ...

Tags: csrf
Shah Japan (jsh.axelor) wrote :

Instead of using csrf_exempt, one should pass the csrf_token, right?
